AWS - CodeBuild Post Exploitation

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

CodeBuild

For more information, check:

AWS - Codebuild Enum

Check Secrets

If credentials have been set in CodeBuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these credentials are stored as secrets in the secret manager.
Therefore, if you have access to read the secret manager, you will be able to get these secrets and pivot to the connected platform.

AWS - Secrets Manager Privesc

Abuse CodeBuild Repo Access

To configure CodeBuild, it needs access to the code repo it is going to use. Several platforms could be hosting this code.

The CodeBuild project must have access to the configured source provider, either via an IAM role or with a github/bitbucket token or OAuth access.

An attacker with elevated permissions over a CodeBuild project could abuse this configured access to leak the code of the configured repo and of any other repo the configured credentials can access.
To do this, an attacker would just need to change the repository URL to each repo the configured credentials have access to (note that the AWS web console will list all of them for you).

And change the Buildspec commands to exfiltrate each repo.
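The repository URL and buildspec change described above is visible to defenders in CloudTrail. The following added example (not code from the original page) scans UpdateProject records for a source location that differs from a known-good baseline, or for a buildspec set in the project configuration. The baseline, project name, ARNs and sample records are constructed, and it assumes CloudTrail's requestParameters mirrors the UpdateProject request.

```python
# Constructed baseline: the repo each project is expected to build from.
BASELINE = {"web-app-build": "https://github.com/example-org/web-app"}
SRC = "codebuild.amazonaws.com"
# Constructed CloudTrail records; assumes requestParameters mirrors UpdateProject.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": SRC, "eventName": "UpdateProject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-admin"},
     "requestParameters": {"name": "web-app-build", "source": {
         "location": "https://github.com/example-org/web-app.git"}}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": SRC, "eventName": "UpdateProject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-42"},
     "requestParameters": {"name": "web-app-build", "source": {
         "location": "https://github.com/example-org/payments-core",
         "buildspec": "version: 0.2"}}},
    {"eventTime": "2024-05-01T11:45:00Z", "eventSource": SRC, "eventName": "UpdateProject",
     "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-42"},
     "requestParameters": {"name": "web-app-build", "source": {
         "location": "https://github.com/example-org/infra"}}},
]


def normalize(url):
    """Compare repo URLs ignoring case, a trailing slash and a .git suffix."""
    url = (url or "").strip().lower().rstrip("/")
    return url[:-4] if url.endswith(".git") else url


def find_source_tampering(events, baseline):
    """Return one finding per successful UpdateProject that repoints a project."""
    findings = []
    for ev in events:
        key = (ev.get("eventSource"), ev.get("eventName"), ev.get("errorCode"))
        if key != (SRC, "UpdateProject", None):
            continue  # other APIs, or a denied/failed call that changed nothing
        params = ev.get("requestParameters") or {}
        source = params.get("source") or {}
        project, location, reasons = params.get("name", ""), source.get("location"), []
        if location and normalize(location) != normalize(baseline.get(project)):
            reasons.append("source location changed to " + location)
        if source.get("buildspec"):
            reasons.append("buildspec set in project configuration")
        if reasons:
            findings.append({"time": ev.get("eventTime"), "project": project, "reasons": reasons,
                             "actor": (ev.get("userIdentity") or {}).get("arn")})
    return findings


if __name__ == "__main__":
    print(*find_source_tampering(SAMPLE_EVENTS, BASELINE), sep="\n")
```

A project with no baseline entry is flagged on any source location, so keep the baseline in sync with legitimate project changes.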

Warning

However, this task is repetitive and tedious, and if a github token was configured with write permissions, an attacker won't be able to (ab)use those permissions as he doesn't have access to the token.
Or does he? Check the next section.

Leaking Access Tokens from AWS CodeBuild

You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with:

aws codebuild list-source-credentials

AWS Codebuild - Token Leakage

Untrusted PR execution via webhook filter misconfiguration

If webhook filters are weak, external attackers can get their PRs built in privileged CodeBuild projects and then execute arbitrary code in CI.

AWS CodeBuild - Untrusted PR Webhook Bypass (CodeBreach-style)

codebuild:DeleteProject

An attacker could delete an entire CodeBuild project, causing loss of the project configuration and impacting applications that rely on the project.

aws codebuild delete-project --name <value>

Potential Impact: Loss of project configuration and service disruption for applications using the deleted project.

codebuild:TagResource, codebuild:UntagResource

An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies that rely on tags.

aws codebuild tag-resource --resource-arn <value> --tags <value>
aws codebuild untag-resource --resource-arn <value> --tag-keys <value>

Potential Impact: Disruption of cost allocation, resource tracking, and tag-based access control policies.

codebuild:DeleteSourceCredentials

An attacker could delete the source credentials for a Git repository, impacting the normal functioning of applications that rely on the repository.

aws codebuild delete-source-credentials --arn <value>

Potential Impact: Disruption of normal functioning for applications that rely on the affected repository, due to the removal of source credentials.
